Most people repeat the same password across several of their accounts or, worse, use a single password for every account. There is no doubt that this is an unsafe practice. According to Checkpoint, a provider of cybersecurity solutions, cybercriminals are gaining access to databases stolen from breached websites, and this lax behavior has created an underground market for such databases among cybercriminals.
Harish Kumar, Head of Enterprise at Checkpoint, wrote a blog post warning that using the same password for personal and corporate accounts can be very dangerous: if hackers find a way to obtain credentials for personal accounts, they could potentially gain admin-level access to an organization.
The report goes on to add that even though people know about the risks of recycling passwords, many continue to do so because they find it difficult to manage and memorize many passwords, and they do not feel confident doing so.
The state of passwords in India
A report on password usage by Nordpass found that Indians struggle badly when it comes to passwords. According to the report, "password" was rated the most popular password in the country, followed by "123456" and "12345678." Each of these passwords took less than a second to crack. This could be one of the reasons why, as of 2017, India ranks as the fourth country in the world for consumer losses due to cybercrime. Weak passwords are not the only factor, however.
Several data theft cases have also been reported in India in the past few months. The rise in digital adoption is largely responsible for a jump like this, and that rise can in turn be attributed largely to the pandemic and its push toward studying and working online. According to the cyber-security company, many new Internet users and companies are unaware of cybersecurity, which is increasing cybercrime.
According to Checkpoint, tougher security policies that impose stronger passwords are also counterproductive and, paradoxically, are viewed negatively by users.
The benefits of lax cybersecurity for cybercriminals
Crucially, Checkpoint's report emphasizes that attackers were quick to identify this negligence. They realized that they could put their resources to better use on smaller websites with weaker security.
According to the report, there is an official requirement from the National Institute of Standards and Technology (NIST) that all passwords should be salted with at least 32 bits and hashed using a one-way key derivation function. However, many websites fail to adhere to this requirement, and some even store passwords in plain text. Hackers can then use the credentials they have stolen from those sites to log into more valuable websites and online services.
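What salting and a one-way key derivation function buy a site is easiest to see in code. The following is an added example, not code from Checkpoint or NIST; it uses PBKDF2-HMAC-SHA256 from the Python standard library with a 128-bit random salt (the 32-bit figure above is a minimum), and the iteration count and record format are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example: PBKDF2-HMAC-SHA256 with a
# 16-byte (128-bit) salt, well above the 32-bit minimum cited above.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking match length through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_visible(store: dict) -> bool:
    """True if any two users in a credential store have identical stored values.

    With plain-text storage (or unsalted hashes) a breach exposes that users
    share a password, which is what combination lists and credential stuffing
    exploit; per-user salts make identical passwords produce distinct records.
    """
    values = list(store.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    # Constructed sample: two users who picked the same weak password.
    plaintext_store = {"alice": "pass@123", "bob": "pass@123"}
    hashed_store = {u: hash_password(p) for u, p in plaintext_store.items()}
    print("plain text reveals shared password:", shared_password_visible(plaintext_store))
    print("salted KDF reveals shared password:", shared_password_visible(hashed_store))
    print("alice logs in:", verify_password("pass@123", hashed_store["alice"]))
```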
Furthermore, Checkpoint notes that the cybercriminals who hack websites and steal passwords are not necessarily the ones who use them most effectively. A more likely option for them is to sell the stolen credentials instead. Depending on whether they unlock admin-level access to an organization, some of these can sell for as much as $120,000 each.
Stolen passwords are compiled into "combination lists," vast compilations of many databases of stolen email addresses and passwords, a large number of which have already been compromised. One report describes the largest combo of usernames and passwords of all time, named RockYou2021, which contained over 8 billion unique sets of usernames and passwords as of August 2016.
Checkpoint states that these stolen credentials are utilized in credential-stuffing attacks against organizations. In this type of cyberattack, cyberterrorists use credentials retrieved from one site after a data breach to log in to another site. An extremely common way of committing such attacks is through large-scale automated login requests against user accounts, including banking, social media, and a variety of other online accounts.
Staying safe is easy if you know what to do
A simple way to help keep your passwords safe is to make sure that you never reuse them. A compromise of one account can easily lead to a compromise of the other, which in turn leads to a chain of attacks.
It is important to come up with creative word combinations, because special characters by themselves do not make a highly secure password if the base is a common keyword. A password such as "pass@123" contains letters, numbers, and a symbol, yet according to the Indian Government it is the sixth most popular password out of the top 100. Also, wherever possible, use two-factor authentication to increase security.